Qhost trojan - how sensitive is Nod32? ;-)

Discussion in 'NOD32 version 2 Forum' started by jayt, Sep 26, 2004.

Thread Status:
Not open for further replies.
  1. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    I have a friend in Odessa, Uk and his computer is infected with Qhost trojan. I was trying to help him clean it. Sent him a copy of Stinger.exe, Symantec Qhost trojan remover, Spybot, Ad-aware, etc. He tried running all the tools in Safe Mode having disabled System Restore. No luck. So, while searching Google for manual removal instructions, I clicked on www.f-secure.com/v-descs/qhost.shtml , and immediately IMON pops up and tells me that I have Qhost trojan. I terminated it and of course I do not have the trojan. How's that for hyper-sensitivity? :D
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Sounds like a False Positive, can you send that link to Eset?

    sample@nod32.com I think would be best.


    As to helping your friend, there is a link here that should get her all cleaned up...

    Hope this helps...

    Let us know how you go...

    Cheers :D
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I think Eset and F-Secure need to take a look at the page. IMON picks it up as infected; when you click terminate connection, the page continues to load and then the browser (in this case Firefox) says the object contains no data after the viewable portion of the page is done loading. I am not sure if IMON is just picking up on the localhost changes displayed on the page as they are a trojaned host file or something else.
     
  4. jayt

    jayt Registered Member

    flyrfan111 - that is my experience also. I am using Firefox, and after IMON pops up with the infection warning and I terminate, the page does, as you say, continue to load, but a little box pops up that says "empty file". I was just wondering if Nod32 was that sensitive to F-secure or what. But as you say, Nod32 and F-secure should take a look at that page.
    Blackspear, is there any point in sending the link to Nod32 support? It is posted here. All they have to do is click it. :D
     
  5. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    439
    Tried the same myself and got the same result. Cool though, I am impressed at its sensitivity.
    Have only got it all set up today after running NAV, liking it now after the setting up process, takes a bit of getting used to but has grown on me now.
     
  6. Blackspear

    Blackspear Global Moderator

    Sometimes you will receive a quicker response by doing so...

    Cheers :D
     
  7. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Looks like the site loads fine now. Must have been an FP (and fixed ;) ).

     
  8. jayt

    jayt Registered Member

    Looks like you are correct rumpstah. Maybe we had something to do with it? :rolleyes:
     
  9. Blackspear

    Blackspear Global Moderator

    LOL, good to see there has been a result...

    Cheers :D
     